Bearer - A New SAST Tool On The Block
Written by Nikos Vaggalis   
Thursday, 06 April 2023

Bearer is a code security scanning tool (SAST) under secretive development for the last two years that discovers, filters and prioritizes security risks and vulnerabilities. Now it's ready and has been open sourced.

Nowadays every company is a software house, regardless of the business it is in be it finance, manufacturing or healthcare. To provide value, businesses have to communicate through software applications built in-house or by a third party.

The problem is that cyber attackers will attack those applications, probing them to uncover vulnerabilities to exploit and get access to your internal networks, steal company and customer data or just create havoc.

These vulnerabilities occur because of bugs in the software and the most popular way in finding and fixing those bugs is by applying tooling like SAST to the source code.

We've examined several such tools in the past like Semgrep and Qodana. Bearer is one of the most recent and modern additions to that family of SAST tools. Bearer assesses the OWASP Top 10 security risks and vulnerabilities found in today's Web Applications employing native filtering and prioritization based on their impact on sensitive data by following a rule set which at the time of writing includes more than 100 rules.

Some practical examples of what kind of vulnerabilities Bearer under its rule engine can detect are:

  • Non-filtered user input that can lead to breaches of sensitive information.
  • Leakage of sensitive data through cookies, internal loggers, third-party logging services, and into analytics environments.
  • Usage of weak encryption libraries or mis-usage of encryption algorithms.
  • Unencrypted incoming and outgoing communication (HTTP, FTP, SMTP) of sensitive information.
  • Hard-coded secrets and tokens.

Bearer's built-in rules are optimized for discovering the most most critical security risks and vulnerabilities of web applications and include corresponding Common Weakness Enumeration (CWE) and OWASP links to help in identifying them. That said, the rule set can be easily be extended under a rules notation DSL taking shape as simple yaml files.


Bearer comes with two types of security scanners, SAST (default) and Secrets.

The SAST scanner is the default one if you don't specify any. This scanner uses the built-in rules to detect various security risks and vulnerabilities in your code.

The Secrets scanner type detects hard-coded secrets in your code. It checks for common secret patterns such as keys, tokens, and passwords using the popular Gitleaks library.

But that's not all;Bearer also discovers and classifies sensitive data by identifying patterns in the source code (not the values) by taking into consideration 120+ data types from sensitive data categories such as Personal Data (PD), Sensitive PD, Personally identifiable information (PII), Personal Health Information (PHI).

Some of the categories of data that Bearer understands are:

  • Personal Data
    • Authenticating
    • Mother's Maiden Name
    • Passwords
    • PIN
  • Behavioral Information
    • Browsing Behavior
  • Communication
    • Emails
    • Telephone Recordings
    • Voice Mail
  • Computer Device
    • Browser Fingerprint
    • Device identifier
    • IP address
    • Mac address

The practicality of recognizing the presence of a sensitive data pattern in the source code is that, for example, you can be warned:

if you are communicating an email address to an unsecured API or if you are using a weak encryption library in an application that processes any sensitive data

as such averting a potential data breach or leak.

As Bearer is a CLI tool, the quickest way to install it is with its install script:

curl -sfL
  Bearer/bearer/main/contrib/ | sh

There's also a Docker image and there's also a GitHub action in order to intergrate it into the CI/CD workflow.

Afterwards, in order to scan your project, you point Bearer towards your project's directory with:

bearer scan project-dir

Once the scan is complete, Bearer will output a security report with details of any rules failures, as well as where in the codebase the infractions happened.

As far as language support goes, Bearer currently supports JavaScript and Ruby and their associated most used frameworks and libraries, but more are on the way, such as PHP, Go, Python, Java, and C#.

In closing, Bearer is certainly a noteworthy SAST tool, with its most valuable asset probably being the sensitive data patterns identification. As if that wasn't an incentive enough, then take account of its other great aspects, those of being free, open source and highly customizable.


More Information




Related Articles

JetBrains Qodana Adds Taint Analysis For PHP

Semgrep - More Than Just a Glorified Grep


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


Udacity's New Discovering Ethical AI Course

Udacity has just launched an hour-long course on Ethical AI. Intended for a wide audience across many industries, it introduces to basic concepts and terms needed to step into the world of Ethica [ ... ]

Apache Superset 4 Updates Reports

Apache Superset 4 has been released with improvements to the reporting module and redesigned alerts. Superset is a business intelligence web application. It is open source, provides data exploration a [ ... ]

More News

raspberry pi books



or email your comment to:

Last Updated ( Thursday, 06 April 2023 )